| # ========================LICENSE_START================================= |
| # O-RAN-SC |
| # %% |
| # Copyright (C) 2019 AT&T Intellectual Property |
| # %% |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| # ========================LICENSE_END=================================== |
| |
| #=========================================================================== |
| # ESAPI Configuration |
| # |
| # If true, then print all the ESAPI properties set here when they are loaded. |
| # If false, they are not printed. Useful to reduce output when running JUnit tests. |
| # If you need to troubleshoot a properties related problem, turning this on may help. |
| # This is 'false' in the src/test/resources/.esapi version. It is 'true' by |
| # default for reasons of backward compatibility with earlier ESAPI versions. |
| ESAPI.printProperties=false |
| |
| # ESAPI is designed to be easily extensible. You can use the reference implementation |
| # or implement your own providers to take advantage of your enterprise's security |
| # infrastructure. The functions in ESAPI are referenced using the ESAPI locator, like: |
| # |
| # String ciphertext = |
| # ESAPI.encryptor().encrypt("Secret message"); // Deprecated in 2.0 |
| # CipherText cipherText = |
| # ESAPI.encryptor().encrypt(new PlainText("Secret message")); // Preferred |
| # |
| # Below you can specify the classname for the provider that you wish to use in your |
| # application. The only requirement is that it implement the appropriate ESAPI interface. |
| # This allows you to switch security implementations in the future without rewriting the |
| # entire application. |
| # |
| # ExperimentalAccessController requires ESAPI-AccessControlPolicy.xml in .esapi directory |
| ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController |
| # FileBasedAuthenticator requires users.txt file in .esapi directory |
| ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator |
| ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder |
| ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor |
| |
| ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor |
| ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities |
| ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector |
| #ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory |
| ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer |
| ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator |
| |
| #=========================================================================== |
| # ESAPI Authenticator |
| # |
| Authenticator.AllowedLoginAttempts=3 |
| #Authenticator.MaxOldPasswordHashes=13 |
| Authenticator.UsernameParameterName=username |
| #Authenticator.PasswordParameterName=password |
| # RememberTokenDuration (in days) |
| Authenticator.RememberTokenDuration=14 |
| # Session Timeouts (in minutes) |
| Authenticator.IdleTimeoutDuration=20 |
| Authenticator.AbsoluteTimeoutDuration=120 |
| |
| #=========================================================================== |
| # ESAPI Encoder |
| # |
| # ESAPI canonicalizes input before validation to prevent bypassing filters with encoded attacks. |
| # Failure to canonicalize input is a very common mistake when implementing validation schemes. |
| # Canonicalization is automatic when using the ESAPI Validator, but you can also use the |
| # following code to canonicalize data. |
| # |
| # ESAPI.Encoder().canonicalize( "%22hello world"" ); |
| # |
| # Multiple encoding is when a single encoding format is applied multiple times. Allowing |
| # multiple encoding is strongly discouraged. |
| Encoder.AllowMultipleEncoding=false |
| |
| # Mixed encoding is when multiple different encoding formats are applied, or when |
| # multiple formats are nested. Allowing multiple encoding is strongly discouraged. |
| Encoder.AllowMixedEncoding=false |
| |
| # The default list of codecs to apply when canonicalizing untrusted data. The list should include the codecs |
| # for all downstream interpreters or decoders. For example, if the data is likely to end up in a URL, HTML, or |
| # inside JavaScript, then the list of codecs below is appropriate. The order of the list is not terribly important. |
| Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec |
| |
| |
| #=========================================================================== |
| # ESAPI Encryption |
| # |
| # The ESAPI Encryptor provides basic cryptographic functions with a simplified API. |
| # To get started, generate a new key using java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor |
| # There is not currently any support for key rotation, so be careful when changing your key and salt as it |
| # will invalidate all signed, encrypted, and hashed data. |
| # |
| # WARNING: Not all combinations of algorithms and key lengths are supported. |
| # If you choose to use a key length greater than 128, you MUST download the |
| # unlimited strength policy files and install in the lib directory of your JRE/JDK. |
| # See http://java.sun.com/javase/downloads/index.jsp for more information. |
| # |
| # Backward compatibility with ESAPI Java 1.4 is supported by the two deprecated API |
| # methods, Encryptor.encrypt(String) and Encryptor.decrypt(String). However, whenever |
| # possible, these methods should be avoided as they use ECB cipher mode, which in almost |
| # all circumstances a poor choice because of it's weakness. CBC cipher mode is the default |
| # for the new Encryptor encrypt / decrypt methods for ESAPI Java 2.0. In general, you |
| # should only use this compatibility setting if you have persistent data encrypted with |
| # version 1.4 and even then, you should ONLY set this compatibility mode UNTIL |
| # you have decrypted all of your old encrypted data and then re-encrypted it with |
| # ESAPI 2.0 using CBC mode. If you have some reason to mix the deprecated 1.4 mode |
| # with the new 2.0 methods, make sure that you use the same cipher algorithm for both |
| # (256-bit AES was the default for 1.4; 128-bit is the default for 2.0; see below for |
| # more details.) Otherwise, you will have to use the new 2.0 encrypt / decrypt methods |
| # where you can specify a SecretKey. (Note that if you are using the 256-bit AES, |
| # that requires downloading the special jurisdiction policy files mentioned above.) |
| # |
| # ***** IMPORTANT: Do NOT forget to replace these with your own values! ***** |
| # To calculate these values, you can run: |
| # java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor |
| # |
| Encryptor.MasterKey=tzfztf56ftv |
| Encryptor.MasterSalt=123456ztrewq |
| |
| # Provides the default JCE provider that ESAPI will "prefer" for its symmetric |
| # encryption and hashing. (That is it will look to this provider first, but it |
| # will defer to other providers if the requested algorithm is not implemented |
| # by this provider.) If left unset, ESAPI will just use your Java VM's current |
| # preferred JCE provider, which is generally set in the file |
| # "$JAVA_HOME/jre/lib/security/java.security". |
| # |
| # The main intent of this is to allow ESAPI symmetric encryption to be |
| # used with a FIPS 140-2 compliant crypto-module. For details, see the section |
| # "Using ESAPI Symmetric Encryption with FIPS 140-2 Cryptographic Modules" in |
| # the ESAPI 2.0 Symmetric Encryption User Guide, at: |
| # http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html |
| # However, this property also allows you to easily use an alternate JCE provider |
| # such as "Bouncy Castle" without having to make changes to "java.security". |
| # See Javadoc for SecurityProviderLoader for further details. If you wish to use |
| # a provider that is not known to SecurityProviderLoader, you may specify the |
| # fully-qualified class name of the JCE provider class that implements |
| # java.security.Provider. If the name contains a '.', this is interpreted as |
| # a fully-qualified class name that implements java.security.Provider. |
| # |
| # NOTE: Setting this property has the side-effect of changing it in your application |
| # as well, so if you are using JCE in your application directly rather than |
| # through ESAPI (you wouldn't do that, would you? ;-), it will change the |
| # preferred JCE provider there as well. |
| # |
| # Default: Keeps the JCE provider set to whatever JVM sets it to. |
| Encryptor.PreferredJCEProvider= |
| |
| # AES is the most widely used and strongest encryption algorithm. This |
| # should agree with your Encryptor.CipherTransformation property. |
| # By default, ESAPI Java 1.4 uses "PBEWithMD5AndDES" and which is |
| # very weak. It is essentially a password-based encryption key, hashed |
| # with MD5 around 1K times and then encrypted with the weak DES algorithm |
| # (56-bits) using ECB mode and an unspecified padding (it is |
| # JCE provider specific, but most likely "NoPadding"). However, 2.0 uses |
| # "AES/CBC/PKCSPadding". If you want to change these, change them here. |
| # Warning: This property does not control the default reference implementation for |
| # ESAPI 2.0 using JavaEncryptor. Also, this property will be dropped |
| # in the future. |
| # @deprecated |
| Encryptor.EncryptionAlgorithm=AES |
| # For ESAPI Java 2.0 - New encrypt / decrypt methods use this. |
| Encryptor.CipherTransformation=AES/CBC/PKCS5Padding |
| |
| # Applies to ESAPI 2.0 and later only! |
| # Comma-separated list of cipher modes that provide *BOTH* |
| # confidentiality *AND* message authenticity. (NIST refers to such cipher |
| # modes as "combined modes" so that's what we shall call them.) If any of these |
| # cipher modes are used then no MAC is calculated and stored |
| # in the CipherText upon encryption. Likewise, if one of these |
| # cipher modes is used with decryption, no attempt will be made |
| # to validate the MAC contained in the CipherText object regardless |
| # of whether it contains one or not. Since the expectation is that |
| # these cipher modes support support message authenticity already, |
| # injecting a MAC in the CipherText object would be at best redundant. |
| # |
| # Note that as of JDK 1.5, the SunJCE provider does not support *any* |
| # of these cipher modes. Of these listed, only GCM and CCM are currently |
| # NIST approved. YMMV for other JCE providers. E.g., Bouncy Castle supports |
| # GCM and CCM with "NoPadding" mode, but not with "PKCS5Padding" or other |
| # padding modes. |
| Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC |
| |
| # Applies to ESAPI 2.0 and later only! |
| # Additional cipher modes allowed for ESAPI 2.0 encryption. These |
| # cipher modes are in _addition_ to those specified by the property |
| # 'Encryptor.cipher_modes.combined_modes'. |
| # Note: We will add support for streaming modes like CFB & OFB once |
| # we add support for 'specified' to the property 'Encryptor.ChooseIVMethod' |
| # (probably in ESAPI 2.1). |
| # DISCUSS: Better name? |
| Encryptor.cipher_modes.additional_allowed=CBC |
| |
| # 128-bit is almost always sufficient and appears to be more resistant to |
| # related key attacks than is 256-bit AES. Use '_' to use default key size |
| # for cipher algorithms (where it makes sense because the algorithm supports |
| # a variable key size). Key length must agree to what's provided as the |
| # cipher transformation, otherwise this will be ignored after logging a |
| # warning. |
| # |
| # NOTE: This is what applies BOTH ESAPI 1.4 and 2.0. See warning above about mixing! |
| Encryptor.EncryptionKeyLength=128 |
| |
| # Because 2.0 uses CBC mode by default, it requires an initialization vector (IV). |
| # (All cipher modes except ECB require an IV.) There are two choices: we can either |
| # use a fixed IV known to both parties or allow ESAPI to choose a random IV. While |
| # the IV does not need to be hidden from adversaries, it is important that the |
| # adversary not be allowed to choose it. Also, random IVs are generally much more |
| # secure than fixed IVs. (In fact, it is essential that feed-back cipher modes |
| # such as CFB and OFB use a different IV for each encryption with a given key so |
| # in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random |
| # IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and |
| # uncomment the Encryptor.fixedIV. |
| # |
| # Valid values: random|fixed|specified 'specified' not yet implemented; planned for 2.1 |
| Encryptor.ChooseIVMethod=random |
| # If you choose to use a fixed IV, then you must place a fixed IV here that |
| # is known to all others who are sharing your secret key. The format should |
| # be a hex string that is the same length as the cipher block size for the |
| # cipher algorithm that you are using. The following is an *example* for AES |
| # from an AES test vector for AES-128/CBC as described in: |
| # NIST Special Publication 800-38A (2001 Edition) |
| # "Recommendation for Block Cipher Modes of Operation". |
| # (Note that the block size for AES is 16 bytes == 128 bits.) |
| # |
| Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f |
| |
| # Whether or not CipherText should use a message authentication code (MAC) with it. |
| # This prevents an adversary from altering the IV as well as allowing a more |
| # fool-proof way of determining the decryption failed because of an incorrect |
| # key being supplied. This refers to the "separate" MAC calculated and stored |
| # in CipherText, not part of any MAC that is calculated as a result of a |
| # "combined mode" cipher mode. |
| # |
| # If you are using ESAPI with a FIPS 140-2 cryptographic module, you *must* also |
| # set this property to false. |
| Encryptor.CipherText.useMAC=true |
| |
| # Whether or not the PlainText object may be overwritten and then marked |
| # eligible for garbage collection. If not set, this is still treated as 'true'. |
| Encryptor.PlainText.overwrite=true |
| |
| # Do not use DES except in a legacy situations. 56-bit is way too small key size. |
| #Encryptor.EncryptionKeyLength=56 |
| #Encryptor.EncryptionAlgorithm=DES |
| |
| # TripleDES is considered strong enough for most purposes. |
| # Note: There is also a 112-bit version of DESede. Using the 168-bit version |
| # requires downloading the special jurisdiction policy from Sun. |
| #Encryptor.EncryptionKeyLength=168 |
| #Encryptor.EncryptionAlgorithm=DESede |
| |
| Encryptor.HashAlgorithm=SHA-512 |
| Encryptor.HashIterations=1024 |
| Encryptor.DigitalSignatureAlgorithm=SHA1withDSA |
| Encryptor.DigitalSignatureKeyLength=1024 |
| Encryptor.RandomAlgorithm=SHA1PRNG |
| Encryptor.CharacterEncoding=UTF-8 |
| |
| # This is the Pseudo Random Function (PRF) that ESAPI's Key Derivation Function |
| # (KDF) normally uses. Note this is *only* the PRF used for ESAPI's KDF and |
| # *not* what is used for ESAPI's MAC. (Currently, HmacSHA1 is always used for |
| # the MAC, mostly to keep the overall size at a minimum.) |
| # |
| # Currently supported choices for JDK 1.5 and 1.6 are: |
| # HmacSHA1 (160 bits), HmacSHA256 (256 bits), HmacSHA384 (384 bits), and |
| # HmacSHA512 (512 bits). |
| # Note that HmacMD5 is *not* supported for the PRF used by the KDF even though |
| # the JDKs support it. See the ESAPI 2.0 Symmetric Encryption User Guide |
| # further details. |
| Encryptor.KDF.PRF=HmacSHA256 |
| #=========================================================================== |
| # ESAPI Logging |
| # Set the application name if these logs are combined with other applications |
| Logger.ApplicationName=portal_ric_dashboard |
| # If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true |
| Logger.LogEncodingRequired=false |
| # Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments. |
| Logger.LogApplicationName=true |
| # Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments. |
| Logger.LogServerIP=true |
| # LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you |
| # want to place it in a specific directory. |
| Logger.LogFileName=portal_ric_dashboard_esapi_log |
| # MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000) |
| Logger.MaxLogFileSize=10000000 |
| |
| |
| #=========================================================================== |
| # ESAPI Intrusion Detection |
| # |
| # Each event has a base to which .count, .interval, and .action are added |
| # The IntrusionException will fire if we receive "count" events within "interval" seconds |
| # The IntrusionDetector is configurable to take the following actions: log, logout, and disable |
| # (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable |
| # |
| # Custom Events |
| # Names must start with "event." as the base |
| # Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here |
| # You can also disable intrusion detection completely by changing |
| # the following parameter to true |
| # |
| IntrusionDetector.Disable=false |
| # |
| IntrusionDetector.event.test.count=2 |
| IntrusionDetector.event.test.interval=10 |
| IntrusionDetector.event.test.actions=disable,log |
| |
| # Exception Events |
| # All EnterpriseSecurityExceptions are registered automatically |
| # Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException |
| # Use the fully qualified classname of the exception as the base |
| |
| # any intrusion is an attack |
| IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1 |
| IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1 |
| IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout |
| |
| # for test purposes |
| # CHECKME: Shouldn't there be something in the property name itself that designates |
| # that these are for testing??? |
| IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10 |
| IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5 |
| IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout |
| |
| # rapid validation errors indicate scans or attacks in progress |
| # org.owasp.esapi.errors.ValidationException.count=10 |
| # org.owasp.esapi.errors.ValidationException.interval=10 |
| # org.owasp.esapi.errors.ValidationException.actions=log,logout |
| |
| # sessions jumping between hosts indicates session hijacking |
| IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2 |
| IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10 |
| IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout |
| |
| |
| #=========================================================================== |
| # ESAPI Validation |
| # |
| # The ESAPI Validator works on regular expressions with defined names. You can define names |
| # either here, or you may define application specific patterns in a separate file defined below. |
| # This allows enterprises to specify both organizational standards as well as application specific |
| # validation rules. |
| # |
| Validator.ConfigurationFile=validation.properties |
| Validator.ConfigurationFile.MultiValued=false |
| |
| # Validators used by ESAPI |
| Validator.AccountName=^[a-zA-Z0-9]{3,20}$ |
| Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$ |
| Validator.RoleName=^[a-z]{1,20}$ |
| |
| #the word TEST below should be changed to your application |
| #name - only relative URL's are supported |
| Validator.Redirect=^\\/test.*$ |
| |
| # Global HTTP Validation Rules |
| # Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=] |
| Validator.HTTPScheme=^(http|https)$ |
| Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$ |
| Validator.HTTPParameterName=^[a-zA-Z0-9_]{1,32}$ |
| Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=@_ ]*$ |
| Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$ |
| Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ |
| Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$ |
| Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ |
| Validator.HTTPContextPath=^\\/?[a-zA-Z0-9.\\-\\/_]*$ |
| Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$ |
| Validator.HTTPPath=^[a-zA-Z0-9.\\-_]*$ |
| Validator.HTTPQueryString=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ %]*$ |
| Validator.HTTPURI=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ |
| Validator.HTTPURL=^.*$ |
| Validator.HTTPJSESSIONID=^[A-Z0-9]{10,30}$ |
| |
| # Validation of file related input |
| Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$ |
| Validator.DirectoryName=^[a-zA-Z0-9:/\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$ |